We use cookies to customise content for your subscription and for analytics.
If you continue to browse the International Law Office website, we will assume you are happy to receive all of our cookies. For further information please read our Cookie Policy.

Data protection authority to attack social plug-ins - International Law Office

International Law Office

IT & Internet - Germany

Data protection authority to attack social plug-ins

February 21 2012

Introduction
Legal situation
Possible solutions
Comment


Introduction

Social plug-ins, such as the popular Facebook 'Like' button, are increasingly coming under pressure as several German data protection authorities (DPAs) have expressed their concern about compliance with German data protection and media laws. Shortly after Germany's northernmost DPA in the state of Schleswig-Holstein set a late September 2011 deadline for website providers to remove social plug-ins from websites, other DPAs in Germany expressed similar views. In case of non-compliance, administrative fines of up to €50,000 may be imposed. According to press reports, first-public providers (ie, administrations and local authorities) have already followed this request and taken down social plug-ins from their sites.

Legal situation

Following the DPAs' statements, the transfer of website users' personal data to the United States is of particular concern. Moreover, the DPAs have pointed out that submitted personal data might be combined and used in the form of user profiles.

The DPAs take the position that the collection, transfer and processing of users' personal data via social plug-ins is contrary to German data protection and media laws for the following reasons:

  • There is no valid user consent based on the terms and conditions of Facebook and other social media;
  • A legally required notice on the right to object is not provided; and
  • User consent (opt-in) must be obtained in order to install cookies on users' browsers.

The position taken by the DPAs is unsurprising. In late April 2011, the Berlin Higher Regional Court indicated in a ruling that the implementation of Facebook's 'Like' button may be problematic with respect to data protection law. However, the court did not reach a final conclusion on the issue, as it was not relevant in the specific case. Also, some DPAs had already expressed concerns about social plug-ins in the past.

From a technical point of view, the implementation of the social plug-in is in part comparable to the use of Google Analytics – a service that has been held as non-compliant with German data protection laws by German DPAs in the past – although, so far, this position has not been enforced in practice.

Possible solutions

With respect to social plug-ins, it might be an option for website providers to include the respective content as their own data and not as an iFrame in their websites. This would at least ensure that the mere loading of a website containing a social plug-in would not entail the transfer of personal data to the provider of the respective social media service. In a further step (eg, after clicking on the respective button), the user's consent regarding the transfer of his or her personal data to the provider of the respective social media service could then be obtained before the log-in page of the social media service was opened and the data transferred.

In a frequently asked questions document published on August 23 2011, the Schleswig-Holstein DPA highlighted that the above-mentioned implementation might be a possible option. However, the Schleswig-Holstein DPA did not clearly state whether such an implementation would fully comply with German data protection laws. Also, it would need to be ensured that such use of the logo as the website provider's own data would be covered by the respective licences granted by the social media service providers.

Therefore, a work-around as described above may still be risky. First, it would still be a challenge to draft a legally compliant wording for the consent declaration, particularly as the DPA found that the wording used in the terms and conditions of social media sites might be insufficient (eg, one provider substantially extended its privacy policy – a statement of the DPA as to whether the changes made are regarded sufficient is still outstanding). Second, the proposed solution would still not provide the data subject with the right to object (which would require technical modifications by the social media service itself).

Comment

The likelihood of a website provider that uses social plug-ins becoming subject to an enquiry (or even a fine) by a German DPA is difficult to predict. However, the Schleswig-Holstein DPA had already announced that it planned to take action after the expiry of the September deadline. It remains to be seen how DPAs in the rest of Germany will react.

What is clear from these recent developments is that, generally, German DPAs tend to proceed against domestic companies, while cooperating with websites such as Facebook and Google. This is because it has proved difficult in the past to initiate proceedings against the website providers themselves (due to the fact that the respective legal entities are situated in foreign countries). Instead, it now appears that liability will be placed upon domestic users of social media services.

For further information on this topic please contact Hendrik Schöttle at Osborne Clarke by telephone (+49 89 5434 8000), fax (+49 89 5434 8005) or email (hendrik.schoettle@osborneclarke.de).


Comment or question for author

ILO provides online commentaries as specialist Legal Newsletters. Written in collaboration with over 500 of the world's leading experts and covering more than 100 jurisdictions, it delivers individually requested information via email to an influential global audience of law firm partners and international corporate counsel. Please click here to register for the service.

The materials contained on this website are for general information purposes only and are subject to the disclaimer.

ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription. Register at www.iloinfo.com.